我有一个带有以下 beans.xml 文件的简单 Apache CXF 网络服务:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security"
xmlns:ssec="http://cxf.apache.org/spring-security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://cxf.apache.org/spring-security
http://cxf-spring-security.googlecode.com/svn/trunk/cxf-spring-security/src/main/resources/schemas/spring-security.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd">
<beans:import resource="classpath:META-INF/cxf/cxf.xml" />
<http auto-config='true' >
<http-basic/>
<anonymous enabled="false"/>
</http>
<beans:bean id="methodSecurityInterceptor"
class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
<beans:property name="securityMetadataSource">
<beans:value>
org.mycompany.com.CxfSpringSecuredService.HelloWorldImpl.sayHi=ROLE_OPERATOR
org.mycompany.com.CxfSpringSecuredService.HelloWorldImpl.sayHiAdmin*=ROLE_ADMIN,ROLE_SUPERVISOR
org.mycompany.com.CxfSpringSecuredService.HelloWorldImpl.deleteAccounts*=ROLE_SUPERVISOR
</beans:value>
</beans:property>
</beans:bean>
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
</beans:list>
</beans:property>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="operator" password="operator" authorities="ROLE_OPERATOR" />
<user name="admin" password="admin" authorities="ROLE_ADMIN" />
<user name="sup" password="sup" authorities="ROLE_SUPERVISOR" />
</user-service>
</authentication-provider>
</authentication-manager>
<jaxws:endpoint
id="helloWorld"
implementor="org.mycompany.com.CxfSpringSecuredService.HelloWorldImpl"
address="/HelloWorld" />
</beans:beans>
我的 webservice 实现是以下三个简单的方法:
@WebService(endpointInterface = "org.mycompany.com.CxfSpringSecuredService.HelloWorld")
public class HelloWorldImpl implements HelloWorld {
public String sayHi(String text) {
SecurityContext context = SecurityContextHolder.getContext();
if (context != null){
Authentication authentication = context.getAuthentication();
if (authentication != null){
Collection<GrantedAuthority> roles = authentication.getAuthorities();
if (roles != null){
GrantedAuthority[] authorities = new GrantedAuthority[roles.size()];
roles.toArray(authorities);
for (int i = 0; i < authorities.length; i++)
text = text + " " + authorities[i];
}
}
}
return "Hello " + text;
}
public String sayHiAdmin(){
return "Hello admin";
}
public String deleteAccounts(String name){
return "Accounts deleted by " + name;
}
}
我有一个 C# 客户端,它调用 Web 服务并在 SOAP 标头中传递身份验证信息。我知道我的客户正在传递身份验证信息,因为我在异常中收到以下消息:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Basic realm="Spring Security Application"'.
如果我发出无效的凭据。我发出正确的凭据,我得到每个 Web 服务调用的正确响应。到目前为止,一切都很好。
如果我为操作员传递凭据信息,并调用方法 deleteAccounts,我预计会出现与上述相同的授权错误,但 Web 服务方法被正确调用。
我查看了Spring Framework此处的文档,但无法确定可能缺少什么。
有任何想法吗?
TIA。
编辑:更正了用户配置。